How to store sensitive data in Linux with Vault
Vault is a sophisticated security tool used to keep various types of data (authentication keys, login info, etc.) safe. In this guide, we will show you how to use it to store and encrypt basic information. However, understand that Vault can also be used to store complex secrets like AWS passwords, API keys, SSH keys, and database login info. For more information on what you can do with the Vault tool, please check out their documentation.
Installing Vault on Linux
The Vault app needs to be installed on the system before we can go over how to use it to store secrets on your Linux system. To start the installation, open up a terminal window by pressing Ctrl + Alt + T or Ctrl + Shift + T on the keyboard. After that, follow the installation instructions down below that correspond with the Linux operating system you currently use.
Generic binary instructions
The generic binary installation is the best way to go on most Linux distributions, as it does not require any hard work to get going. There’s no need to mess with the Snap runtime, or dependencies like in the Arch Linux AUR. To start the installation of the Vault generic binary file, begin by downloading the latest release with the wget command below.
wget https://releases.hashicorp.com/vault/1.3.1/vault_1.3.1_linux_amd64.zip
After you’ve finished downloading the Vault ZIP archive, it is time to use the unzip command to decompress the binary. Using the unzip command, extract the file.
Note: Unzip is a standard utility used to extract ZIP archive files from the Linux command-line. If you do not have the Unzip app installed already, please head over to Pkgs.org, and click on the “unzip” package under the distribution you use to get started with it.
unzip vault_1.3.1_linux_amd64.zip
Once the unzip command is run, a binary named “vault” will appear in your home directory. At this point, you must move this binary file into the /usr/bin/ directory, so that it can be called like any other program on the system.
sudo mv vault /usr/bin/
When the “vault” binary file is in the /usr/bin/ directory, you will be able to use the app by running the command below in any terminal window.
vault
Arch Linux AUR instructions
The Vault app is in the Arch Linux AUR. If you are using Arch Linux, you can get the app working by entering the following commands below.
sudo pacman -S git base-devel
git clone https://aur.archlinux.org/trizen.git
cd trizen
makepkg -sri
trizen -S vault-bin
Configuring the Vault server
Vault runs as a server, and you access your secrets through its friendly web user interface. It can also be run on a network, with secrets reachable over the internet; in this guide, however, we only cover the local server.
As Vault is a server, on Linux it needs to run from a terminal window. The problem is that running a server from the terminal can be confusing, especially if you’re new to Linux. To make things easier, we’re going to create a script that runs the server on the system without any need to fuss around.
To create the script, open up a terminal window and use the touch command to create a blank file called vault-server.sh.
touch vault-server.sh
After creating the vault-server.sh file, open it up in the Nano text editor.
nano -w vault-server.sh
Paste the code below into the Nano text editor.
#!/bin/bash
# Dev mode starts an in-memory, auto-unsealed server that is wiped on exit;
# it is meant for local testing only. The unseal key and root token are
# written to the file below, so create it readable by your user alone.
umask 077
vault server -dev > ~/vault-server-info.txt
Save the edits with Ctrl + O, and exit with Ctrl + X. Then, update the permissions of the file with the chmod command.
sudo chmod +x vault-server.sh
Accessing Vault
To access Vault, open up a terminal window and execute the script file with the command below.
./vault-server.sh
Upon launching the script, you will see a readout of the server in the terminal. However, this readout scrolls continuously, so we’ve also redirected the server’s startup output to a text file in the home directory. This text file is vault-server-info.txt.
Note: each time you launch the dev server, a new root token is generated and vault-server-info.txt is overwritten. You must check it and copy the new token, or login will not work.
Once the server is running, open up the Linux file manager, click on “Home,” open vault-server-info.txt, and copy the code after “Root Token:” to your clipboard. Then, launch your favorite web browser and go to the URL below.
localhost:8200/ui/
Log in with the token key you copied from vault-server-info.txt.
Stop the server
Need to stop the Vault server? Click on the terminal window currently running the script and press Ctrl + C.
Using Vault to store secrets
Now that the server is up and running, follow the step-by-step instructions below to learn how to keep your secrets safe in the Vault.
Step 1: Ensure you are logged into the Vault web UI in the web browser. Then, click on “Secrets” at the top of the page.
Step 2: Locate “Cubbyhole” and click on it with the mouse. Cubbyhole is the default secret engine that you can use for arbitrary data (passwords, personal info, access codes, etc.).
Step 3: Inside Cubbyhole, you will see a message that says, “No secrets in this backend yet.” Find the “Create secret” button, and click it with the mouse.
Step 4: Upon clicking “Create secret,” a pop-up will appear. In the pop-up, find “Path for this secret” and fill it out to describe the secret. For example, to store a “secret” containing your FTP server password, you’d write “FTP password” in the path box.
Step 5: Following the path, find “Secret data.” From here, find “key.” In the key box, enter a reference to the secret you’d like to store.
For example, if you are storing your FTP server password, you might enter the username to the server in “key.” If it is a note, you could write “note #1,” etc.
Step 6: Find “value” and enter the text you want to keep a secret. Once again, if, for example, this is a password (like an FTP server password), enter the password in the “value” box. Alternatively, fill out your note, API key, or anything else you’d like to secure as a secret.
Once all fields are filled out, click “Save” to save the secret to the Vault. To access your saved secrets, ensure the Vault server is running, log into the Web UI, and click on “Cubbyhole.”
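As an added example that is not part of the original guide, the script below automates two of the steps above: it reads the token after “Root Token:” from vault-server-info.txt, and it stores the same FTP secret in the Cubbyhole engine with the vault command instead of the web UI. The file name vault-store.sh, the dash-for-space conversion of the path, and the sample token format are assumptions; the vault binary and the dev server from vault-server.sh must be running for the final step.

```shell
#!/bin/bash
# Added example (not from the original guide): drive the dev server from
# the command line instead of the web UI.
set -eu

# Print the value after "Root Token:" from the dev server's output file.
# Returns 1 if the line is missing (for example, the server has not started).
extract_root_token() {
  local info_file="$1"
  local token
  token=$(sed -n 's/^[[:space:]]*Root Token:[[:space:]]*//p' "$info_file" | head -n 1)
  [ -n "$token" ] || return 1
  printf '%s\n' "$token"
}

# Build the cubbyhole path from a human-readable label, replacing spaces
# with dashes (an assumption) so "FTP password" becomes cubbyhole/FTP-password.
secret_path() {
  printf 'cubbyhole/%s\n' "$(printf '%s' "$1" | tr ' ' '-')"
}

# Store one key=value pair at the given path: the CLI equivalent of the
# "Create secret" dialog. Reads the root token from ~/vault-server-info.txt.
store_secret() {
  local label="$1" key="$2" value="$3"
  VAULT_ADDR="http://127.0.0.1:8200" \
  VAULT_TOKEN="$(extract_root_token "$HOME/vault-server-info.txt")" \
    vault write "$(secret_path "$label")" "$key=$value"
}

# Read a stored secret back, so you can confirm what the UI will show.
read_secret() {
  VAULT_ADDR="http://127.0.0.1:8200" \
  VAULT_TOKEN="$(extract_root_token "$HOME/vault-server-info.txt")" \
    vault read "$(secret_path "$1")"
}

# Only talk to the server when run directly as vault-store.sh with vault installed.
if [ "${0##*/}" = "vault-store.sh" ] && command -v vault >/dev/null 2>&1; then
  store_secret "FTP password" "ftpuser" "correct horse battery staple"
  read_secret "FTP password"
fi
```

Because Cubbyhole secrets belong to the token that wrote them, a secret stored with one root token is not visible after the dev server is restarted with a new one.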